Interface pppoe with 2 VLANs

Hi

My setup is like below. External WAN is using PPPoE and VDSL id 500. IPTV is tagged with VLAN 600. I got everything working except for the IPTV. That PC can access the Internet. The IPTV box is using DHCP and is unable to receive an IP address from the IPTV server on my ISP cloud. I suspect that this is because the WAN interface, eth1 on Sophos, is not tagged with VLAN 600. I could not find a way to assign VLAN 600 to eth1 because it only permits me to assign one VLAN ID, i.e. 500, on the interface VDSL configuration. Am I missing something or doing it the right way?

 

Here are my configurations so far. VLAN 1 and 600 are on Internal, eth0 interface. By the way, is it OK if the VLAN interfaces are down?

 

VLAN 600

 

WAN - eth1

Internal - eth0

 

Thank you for your help.

 

 

 



This thread was automatically locked due to age.
  • The only thing I can see is your IPTV port should be untagged and the VLAN 600 on the UTM should have an IP address assigned to it that is in a different range to vlan 1 and vlan 500.

    I have never tried using vlan1 because that is usually assigned the management of the switch. You probably should add another vlan for your PCs. Each VLAN should have its own unique address range.

    You would need to add a firewall rule allowing the IP address of the vlan 600 to access vlan 500; you will also require a MASQ rule vlan 600 to VLAN 500 interface.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • Thank you for your response. You are right, the IPTV port should be untagged; my diagram was incorrect but the actual network is untagged.

    Before I introduced the UTM, IPTV and Internet were working fine with the TPLINK only. Before the UTM I was also using VLAN 1 and it was working fine. Below is the config of TPLINK. This configuration is the same before and after UTM. The difference now is the WAN interface.

      

    That PC is connected to Port 3 and IPTV to Port 5. Prior to the UTM, TPLINK had a virtual WAN interface assigned with VLAN interface 500, but I deleted it when the UTM went in and use UTM eth1 as WAN interface. Port 1 is the one which connects to UTM internal, eth0 port. Do you still think I need to add another VLAN?

    I will try your suggestion first.

     

     

     

  • After doing more searching, I believe it is not possible for the PPPoE interface to have multiple VLANs according to this post:

    PPPoE cannot have multiple VLANs

    As explained by Sachin Gurung the Network Security Engineer 

    "If you check the help doc for UTM; in the interface> Ethernet section it states: For an external connection (e.g., to the Internet) choose the network card with SysID eth1. Please note that one network card cannot be used as both an Ethernet interface and a PPP over Ethernet (PPPoE DSL) or PPTP over Ethernet (PPPoA DSL) connection simultaneously.

    Hence, not possible."

    Hope this helps those facing the same challenge.

  • Maybe it is a limitation of the UTM because a number of ISPs use a separate VLAN to send, say, video over.

    So the normal PPPoE connection is a VLAN, so what you are trying is to set up another VLAN on the PPPoE, so you could try setting the VLAN to 500 and see if it authenticates?

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • I think that is how my ISP sets it up, a dedicated VLAN for video, which in my case is VLAN 600.

    I have tried changing 500 to 600 to test but the PPPoE just won't authenticate.

  • Hi, John, and welcome to the UTM Community!

    It looks like the only solution is to put a cheap, small switch in between the UTM and the WAN connection and then use a separate interface for untagged.  VLAN 1 is not untagged and, as rfcat_vk says, should not be used.  VLAN 1 is reserved for UTM Wireless Protection so, even though you may not have activated UTM Wireless Protection, it's still prudent to avoid it if possible.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • What I do not understand is how it worked in detail before the UTM, did the IPTV and the PC both do PPPoE on their own or what was doing the "dial-in"?

    If the PPPoE interface needs VLAN 500 to authenticate then that is what to configure on the PPPoE interface. But I do not see any need for VLAN 500 on the switch then. VLAN 600 needs to be configured at least as a separate interface with its own IP range. The switch uplink to UTM has then to be configured VLAN1 untagged and VLAN600 tagged, the IPTV port on the switch has to be untagged VLAN 600. But how did VLAN 600 reach the ISP before?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi Sir,

    The UTM is doing the dial-in.

    You are right, VLAN500 is not needed on the switch, that is due to my lack of understanding of how VLAN works.

    I think it will work as you suggested, for VLAN 600 as a separate interface but my UTM has only 2 interfaces.

    I think VLAN 600 reached the ISP before not through the PPPoE authentication but through a direct Ethernet connection. The IPTV server will authenticate based on the MAC address of the IPTV box tied to my IPTV account.

     

    Thanks and regards
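
The question running through this thread is which 802.1Q tag each kind of traffic carries on the WAN link: PPPoE on VLAN 500 and the IPTV box's DHCP traffic on VLAN 600. The following is an added example, not code from any poster or from Sophos, that classifies raw Ethernet frames (for instance, taken from a capture on the WAN side) by VLAN ID and EtherType; the MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
ETHERTYPES = {0x0800: "IPv4", 0x8863: "PPPoE-Discovery", 0x8864: "PPPoE-Session"}

def build_frame(dst, src, ethertype, payload=b"", vlan=None):
    """Build an Ethernet II frame, optionally carrying one 802.1Q tag."""
    header = dst + src
    if vlan is not None:
        # TCI: priority and DEI bits left at 0, low 12 bits hold the VLAN ID
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload

def classify(frame):
    """Return (vlan_id or None, protocol name) from the frame header only."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan = tci & 0x0FFF
    return vlan, ETHERTYPES.get(ethertype, hex(ethertype))

def summarize(frames):
    """Count frames per (vlan, protocol) pair."""
    return Counter(classify(f) for f in frames)

# Constructed sample frames (locally administered MACs, empty payloads).
BCAST = b"\xff" * 6
UTM_WAN = bytes.fromhex("020000000001")   # assumed: firewall WAN port
IPTV_BOX = bytes.fromhex("020000000002")  # assumed: IPTV set-top box
SAMPLE = [
    build_frame(BCAST, UTM_WAN, 0x8863, vlan=500),   # PPPoE discovery on VLAN 500
    build_frame(BCAST, IPTV_BOX, 0x0800),            # IPv4 broadcast leaving untagged
    build_frame(BCAST, IPTV_BOX, 0x0800, vlan=600),  # same broadcast tagged VLAN 600
]

if __name__ == "__main__":
    for (vlan, proto), count in summarize(SAMPLE).items():
        tag = "untagged" if vlan is None else f"VLAN {vlan}"
        print(f"{tag:>9}  {proto:<16} {count}")
```

An untagged IPv4 row where a VLAN 600 row is expected would match the symptom described in the original question.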
